OpenVPN Server portforward help

Hello guys, I am trying to bring up a simple OpenVPN server configuration on a LEDE i686 ESXi VM.

My setup is the following:
BT HomeHub 5a (pppoe-wan) > lan 172.12.0.0/24 > ESXi LEDE VM 172.12.0.118.
Basically I want to deploy the OpenVPN server on the LEDE VM instead of on the gw.

On the BT HomeHub 5a (gw) I added the following configuration to open and forward inbound traffic on 1194:
/etc/config/firewall

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'tcpudp'
        option dest_port '1194'

config redirect
        option name 'vpn'
        option target 'ACCEPT'
        option src_dport '1194'
        option proto 'tcpudp'
        option dest_ip '172.12.0.118'
        option src 'wan'
        option dest 'lan'

While on the LEDE VM I have done the following:
/etc/config/network

config interface 'lan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'int_switch'
        option type 'bridge'
        option proto 'static'
        option ifname 'eth1 tun0'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'vpn'
        option ifname 'tun0'
        option proto 'none'
        option auto '1'

/etc/firewall.user

# Accept OpenVPN packets arriving on int_switch (nat table, before routing)
iptables -t nat -A PREROUTING -p udp -i int_switch --dport 1194 -j ACCEPT

# Accept OpenVPN packets arriving on int_switch for local delivery
iptables -A INPUT -p udp -i int_switch --dport 1194 -j ACCEPT

# Accept anything on the tun interfaces, in all directions
iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

# Allow traffic initiated from VPN to access LAN
iptables -I FORWARD -i tun0 -o int_switch -s 10.8.0.0/24 -d 10.0.1.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow traffic initiated from VPN to access "the world"
iptables -I FORWARD -i tun0 -o int_switch -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

# Allow established traffic to pass back and forth
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Masquerade traffic from VPN to "the world" -- done in the nat table
iptables -t nat -I POSTROUTING -o int_switch -s 10.8.0.0/24 -j MASQUERADE

# Masquerade traffic from LAN to "the world"
iptables -t nat -I POSTROUTING -o int_switch -s 10.0.1.0/24 -j MASQUERADE

/etc/config/openvpn

config 'openvpn' 'VPNserver'
        option 'enabled' '1'
        # Protocol
        option 'tls_server' '1'
        option 'port' '1194'
        option 'proto' 'udp'
        option 'topology' 'subnet'
        option 'dev' 'tun'
        option 'dev' 'tun0'
        # Auth & Certs
        option 'ca'   '/etc/openvpn/keys/ca.crt'
        option 'cert' '/etc/openvpn/keys/server.crt'
        option 'key'  '/etc/openvpn/keys/server.key'
        option 'dh'   '/etc/easy-rsa/keys/dh2048.pem'
        # Routes
        option 'server'   '10.8.0.0 255.255.255.0'
        option 'ifconfig' '10.8.0.1 255.255.255.0'
        # Clients routes & configs
        list 'push' 'redirect-gateway def1' # this redirects all traffic over vpn
        list 'push' 'route 10.0.1.0 255.255.255.0'
        option 'client_to_client' '1'
        option 'comp_lzo' 'no'
        option 'keepalive' '10 120'
        option 'status' '/tmp/openvpn.status'
        option 'persist_key' '1'
        option 'persist_tun' '1'
        option 'verb' '3'
        option 'mute' '20'
        # Connection Speed
        option 'sndbuf' '393216'
        option 'rcvbuf' '393216'
        option 'fragment' '0'
        option 'mssfix'   '0'
        option 'tun_mtu'  '48000'
        # Pushed Buffers
        list 'push' 'sndbuf 393216'
        list 'push' 'rcvbuf 393216'

However when I try to connect I get the following error:

Sun May 20 13:49:16 2018 OpenVPN 2.3.18 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Oct 26 2017
Sun May 20 13:49:16 2018 Windows version 5.1 (Windows XP) 32bit
Sun May 20 13:49:16 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Sun May 20 13:49:16 2018 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun May 20 13:49:16 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun May 20 13:49:16 2018 UDPv4 link local: [undef]
Sun May 20 13:49:16 2018 UDPv4 link remote: [AF_INET]86.155.19.13:1194
Sun May 20 13:49:16 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun May 20 13:49:18 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun May 20 13:49:22 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun May 20 13:49:30 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun May 20 13:49:46 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Sun May 20 13:50:16 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun May 20 13:50:16 2018 TLS Error: TLS handshake failed
Sun May 20 13:50:16 2018 SIGUSR1[soft,tls-error] received, process restarting
Sun May 20 13:50:16 2018 Restart pause, 2 second(s)
Sun May 20 13:50:18 2018 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun May 20 13:50:18 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun May 20 13:50:18 2018 UDPv4 link local: [undef]
Sun May 20 13:50:18 2018 UDPv4 link remote: [AF_INET]86.155.19.13:1194
Sun May 20 13:50:18 2018 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

If I am not mistaken this means the client wasn't able to reach the server and the connection is dropped.

On the LEDE VM (OpenVPN server) this is how the situation looks:

br-int_switch Link encap:Ethernet  HWaddr 00:0C:29:DA:E9:64  
          inet addr:10.0.1.1  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feda:e964/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:570 errors:0 dropped:2 overruns:0 frame:0
          TX packets:985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:58831 (57.4 KiB)  TX bytes:87099 (85.0 KiB)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:DA:E9:5A  
          inet addr:172.12.0.118  Bcast:172.12.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:feda:e95a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:113965 errors:0 dropped:0 overruns:0 frame:0
          TX packets:105466 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:12969781 (12.3 MiB)  TX bytes:32789884 (31.2 MiB)
          Interrupt:19 Base address:0x2000 

eth1      Link encap:Ethernet  HWaddr 00:0C:29:DA:E9:64  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:570 errors:0 dropped:0 overruns:0 frame:0
          TX packets:985 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:66811 (65.2 KiB)  TX bytes:87099 (85.0 KiB)
          Interrupt:18 Base address:0x2080 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:110 errors:0 dropped:0 overruns:0 frame:0
          TX packets:110 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:10435 (10.1 KiB)  TX bytes:10435 (10.1 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@LEDE:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.12.0.1      0.0.0.0         UG    0      0        0 eth0
10.0.1.0        0.0.0.0         255.255.255.0   U     0      0        0 br-int_switch
10.0.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
172.12.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.12.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 eth0

As you can probably see, I am very bad when it comes to networking and worse at firewalling. Any help will be highly appreciated.

Oh, I forgot to mention,

I don't need to route lan (eth0) into the VPN, but rather int_switch (eth1), which is an interface I use to serve data to another VM. I am trying to build a small home lab :slight_smile:

Turns out 1194 seems to be closed on both the client and the wan.

psammarco@ThinkPad ~ $ nmap -p 1194 172.12.0.118
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-20 22:41 BST
Nmap scan report for LEDE.internal (172.12.0.118)
Host is up (0.0021s latency).

PORT     STATE  SERVICE
1194/tcp closed openvpn

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
psammarco@ThinkPad ~ $ nmap -p 1194 86.155.19.13
Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-20 22:42 BST
Nmap scan report for host86-155-19-13.range86-155.btcentralplus.com (86.155.19.13)
Host is up (0.0029s latency).

PORT     STATE  SERVICE
1194/tcp closed openvpn

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

Firewall, just like I suspected :confused:
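Before reaching for a port scanner it helps to lint the configuration itself: iptables only matches the kernel's interface names (a bridge declared as `int_switch` in UCI shows up as `br-int_switch` in `ifconfig`), and an INPUT accept only helps if it names the interface the forwarded packets actually arrive on. The following script is an added example, not code from the thread or from LEDE: it parses abbreviated, constructed copies of the OpenVPN UCI section and the `/etc/firewall.user` rules above, checks every `-i`/`-o` against the interface list from the ifconfig output, and checks whether the server's proto/port has an INPUT ACCEPT covering the ingress interface. The assumption that the DNAT'd packets come in on `eth0` (the interface holding 172.12.0.118) is mine, as is the `INGRESS_IFACE` name.

```python
import re

# Constructed, abbreviated copies of the snippets in the post (not the full files).
UCI_OPENVPN = """
config 'openvpn' 'VPNserver'
       option 'enabled' '1'
       option 'port' '1194'
       option 'proto' 'udp'
       option 'dev' 'tun0'
"""

FIREWALL_USER = """
iptables -t nat -A PREROUTING -p udp -i int_switch --dport 1194 -j ACCEPT;
iptables -A INPUT -p udp -i int_switch --dport 1194 -j ACCEPT;
iptables -I INPUT -i tun+ -j ACCEPT;
iptables -I FORWARD -i tun+ -j ACCEPT;
iptables -t nat -I POSTROUTING -o int_switch -s 10.8.0.0/24 -j MASQUERADE;
"""

# Interface names as the kernel reports them (from the ifconfig output in the post).
KERNEL_IFACES = ["br-int_switch", "eth0", "eth1", "lo", "tun0"]
# Assumption: the gateway's DNAT target 172.12.0.118 lives on eth0, so that is the ingress.
INGRESS_IFACE = "eth0"


def parse_uci_section(text):
    """Return {option: value} for the single UCI section in text (last value wins)."""
    opts = {}
    for m in re.finditer(r"^\s*option\s+'?(\w+)'?\s+'([^']*)'", text, re.M):
        opts[m.group(1)] = m.group(2)
    return opts


def parse_iptables(text):
    """Turn each iptables command line into a dict of the fields we check."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if not line.startswith("iptables"):
            continue
        toks = line.split()
        rule = {"table": "filter", "chain": None, "in": None, "out": None,
                "proto": None, "dport": None, "target": None, "raw": line}
        for i, tok in enumerate(toks):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if tok == "-t":
                rule["table"] = nxt
            elif tok in ("-A", "-I"):
                rule["chain"] = nxt
            elif tok == "-i":
                rule["in"] = nxt
            elif tok == "-o":
                rule["out"] = nxt
            elif tok == "-p":
                rule["proto"] = nxt
            elif tok == "--dport":
                rule["dport"] = nxt
            elif tok == "-j":
                rule["target"] = nxt
        rules.append(rule)
    return rules


def iface_matches(pattern, name):
    """iptables interface matching: a trailing '+' makes the pattern a prefix wildcard."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def find_issues(uci_text, fw_text, ifaces, ingress):
    """Return a list of human-readable problems; an empty list means the checks passed."""
    opts = parse_uci_section(uci_text)
    rules = parse_iptables(fw_text)
    issues = []
    # 1. every -i/-o must name, or wildcard-match, an interface the kernel actually has
    for r in rules:
        for key, flag in (("in", "-i"), ("out", "-o")):
            pat = r[key]
            if pat and not any(iface_matches(pat, n) for n in ifaces):
                issues.append(f"{r['raw']}: {flag} {pat} matches no kernel interface")
    # 2. the server's proto/port needs an INPUT ACCEPT that covers the ingress interface
    covered = any(
        r["table"] == "filter" and r["chain"] == "INPUT" and r["target"] == "ACCEPT"
        and r["proto"] == opts["proto"] and r["dport"] == opts["port"]
        and (r["in"] is None or iface_matches(r["in"], ingress))
        for r in rules)
    if not covered:
        issues.append(f"no INPUT ACCEPT for {opts['proto']}/{opts['port']} on {ingress}")
    return issues


if __name__ == "__main__":
    for issue in find_issues(UCI_OPENVPN, FIREWALL_USER, KERNEL_IFACES, INGRESS_IFACE):
        print("ISSUE:", issue)
```

Run against the constructed copies it reports the three rules that name `int_switch` and the missing UDP/1194 accept on the ingress side. Two caveats when acting on its output: the server section sets `proto udp`, so a TCP scan of 1194 says nothing about whether it is reachable, and in the LEDE firewall the lan zone's own input policy also applies, so a missing rule here is a lead rather than a proof.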